topic Re: Identity Collector - LDAPS in Firewall and Security Management

Identity Collector - LDAPS

Magnus-Holmberg — Tue, 17 Dec 2019 10:14:53 GMT

Hi,

When checking SK108235 for ports.

Communication Protocols

Direction	Port	Protocol
Identity Collector to Identity Awareness Gateway	443	Proprietary Check Point protocol, over HTTPS. Used for ongoing communication between the Agent and the Security Gateway.
Identity Awareness Gateway to Domain Controller	389 / 636	LDAP / LDAPS
Identity Collector to Domain Controller	53	DNS
*Identity Collector to Domain Controller	389	LDAP
Identity Collector to Domain Controller	135, and dynamically allocated ports	DCOM protocol, which makes extensive use of DCE/RPC.
Identity Collector to Cisco ISE	5222	Session subscribe. Gets notifications of new login/logout events.
Identity Collector to Cisco ISE	8910	Bulk session download. Fetches all the active sessions from the ISE Server.

* Note: LDAPS is also optional (through port 636) when using "NetIQ eDirectory". For all other uses (which are the most common ones), we are using LDAP only.

I dont see LDAPS, 636 for standard Microsoft AD. not sure what this NetIQ eDirectory is.
When is LDAPS 636 comming for IA if its not already present, (if so i dont see where to change it in the GUI)

Regards,

Magnus

Re: Identity Collector - LDAPS

PhoneBoy — Tue, 17 Dec 2019 20:27:45 GMT

I believe it's configured on the relevant LDAP Account Unit object.

Re: Identity Collector - LDAPS

Magnus-Holmberg — Tue, 17 Dec 2019 20:39:08 GMT

Within smartconsole, yes sure.
But the Identity collector you dont have any options like that.

And Microsoft is pushing pretty hard to remove LDAP for LDAPS,

Re: Identity Collector - LDAPS

PhoneBoy — Tue, 17 Dec 2019 22:00:49 GMT

I'm guessing Identity Collector will try both LDAP and LDAPS but maybe @Royi_Priov can confirm.

Re: Identity Collector - LDAPS

Royi_Priov — Wed, 18 Dec 2019 07:11:08 GMT

Hi Magnus,

LDAP is used on Identity Collector in 2 ways:

AD integration - only for discovering the AD servers in the environment. After this discovery, the entire communication is done securely with Microsoft API. The discovery itself is performed with LDAP (not LDAPS).
NetIQ eDirectory - this is an LDAP server by NetIQ, which we are communicating over LDAP / LDAPS all the way for fetching logged in users.

Thanks,

Royi Priov.

Re: Identity Collector - LDAPS

Val1976 — Tue, 31 Jan 2023 11:59:17 GMT

Hi Royi

I have a customer that is exactly in the same situation, trying to move away from AD query and use Identity Collector... As the AD environment is configured to allow only LDAPS connections, the initial test connection to and AD server, using plain LDAP is unsuccessful and the migration cannot progress further...

Is there any way of forcing the initial test connection to use LDAPS instead of LDAP? The customer has downloaded and installed the latest version of the Identity Collector software - R81.040.0000 / 20 Sep 2022...

Thanks and best regards,

Valeriu

Re: Identity Collector - LDAPS

Zolo — Wed, 08 Feb 2023 13:32:54 GMT

Hi Valeriu,

You can connect to the "Active Directory" LDAPS server if the LDAPS certificate contains the IP address of the DC in the SAN field.

Click New Source > Active Directory > Fetch Automatically and choose LDAP over SSL.

The IC only accepts IP address and the DC IP address must be entered.

Br,

Zolo

Re: Identity Collector - LDAPS

Jöran_Kaußel — Thu, 18 Apr 2024 11:27:15 GMT

Hello Check Mates,

any tipps for those whose PKI does not support IPs in SAN field?

Any help appreciated,
Jöran

Re: Identity Collector - LDAPS

PhoneBoy — Thu, 18 Apr 2024 19:01:16 GMT

Upgrade to R82 when it's available as the validation mechanism for the LDAPS certificate will change.
Instead of validating the existing certificate, we'll ensure the certificate is valid and signed by a specific CA.

Re: Identity Collector - LDAPS

Zolo — Fri, 19 Apr 2024 06:54:17 GMT

Hello Jöran,

Good news 😀

As I checked, the latest IC version (R81.069.0000) finally supports FQDN.

Br,

Zoli

Re: Identity Collector - LDAPS

Jöran_Kaußel — Fri, 19 Apr 2024 10:30:09 GMT

Hello Zolo,

unfortunately I can't confirm. Using R81.069.0000 throughout the currently running DC migration to Windows Server 2022 I can only fetch them via the remaining 2016 DCs, not directly. And then I can't get them connected neither via IP, nor hostname or FQDN.

Fetching via IP works instantly while hostname and fqdn needs about 30 secs.

Error states "Unable to connect; please check connectivity with server and server firewall configuration". I can see tcp/udp 389 but no 636. Nothings getting dropped, tried debug options via regedit but got not significant more info other than "ErrCode (1722)" which seems to be a dead end.

Any tipps appreciated
Jöran

Re: Identity Collector - LDAPS

Jöran_Kaußel — Tue, 23 Apr 2024 17:42:54 GMT

Hello mates,

sorry for the noise. DCs local firewalls refuse to answer to RPC when freshly deployed. Problem solved from my side.

Thanks